An Online Responder can be installed on any computer running Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Datacenter, Windows Server 2008 Enterprise, or Windows Server 2008 Datacenter. The certificate revocation data can come from a certification authority (CA) on a computer running Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, or from a non-Microsoft CA.


Internet Information Services (IIS) must also be installed on this computer before the Online Responder can be installed.

The following procedure can be used if none of the Active Directory Certificate Services (AD CS) role services (such as a CA) have been installed on this computer.

Membership in local Administrators, or equivalent, is the minimum required to complete this procedure. For more information about administering a public key infrastructure (PKI), see Implement Role-Based Administration.

To install the Online Responder service
  1. Click Start, point to Administrative Tools, and then click Server Manager.

  2. Click Manage Roles. Under Active Directory Certificate Services, click Add role services. If a different AD CS role service has already been installed on this computer, select the Active Directory Certificate Services check box in the Role Summary pane, and then click Add role services.

  3. On the Select Role Services page, select the Online Certificate Status Protocol check box.

    A message appears explaining that IIS and Windows Activation Service (WAS) must also be installed to support OCSP.

  4. Click Add required role services, and then click Next three times.

  5. On the Confirm Installation Options page, click Install.

  6. When the installation is complete, review the status page to verify that the installation was successful.

Additional considerations

  • Before an Online Responder can be used, you must also create a revocation configuration. See Creating a Revocation Configuration.

  • By default, IIS 7.0 request filtering blocks the plus sign (+), which is used in the URL of delta CRLs. To allow delta CRL retrieval, modify the IIS configuration by setting allowDoubleEscaping=true on the requestFiltering element in the system.web section of IIS configuration. For more information about IIS 7.0 request filter configuration, see IIS 7.0: Configure Request Filters in IIS 7.0 (

    Security Note

    Allowing certain characters to pass through the request filter can result in a reduced security level, which might be unacceptable in some environments. For an explanation of this type of threat, see chapter 12 of Writing Secure Code (

Additional references